Out-of-the-box, samba-tool domain provision does not like the filesystem:
ERROR(<class 'samba.provision.ProvisioningError'>): Provision failed -
ProvisioningError: Your filesystem or build does not support posix ACLs,
which s3fs requires. Try the mounting the filesystem with the 'acl' option.
It seems that s3fs requires POSIX ACLs, and ZFS supports NFSv4 ACLs by
default. Some people recommend using "--use-ntvfs" but that is
deprecated and indeed removed from samba 4.5.
I found a page which said to set some zfs attributes:
https://morph027.gitlab.io/post/zfs-on-linux-and-samba4-acl/
root@proxmox:~# zfs set acltype=posixacl vms/subvol-107-disk-1
root@proxmox:~# zfs set aclinherit=passthrough vms/subvol-107-disk-1
So I set those on my container, but I now get a different error:
root@wrn-dc1:~# samba-tool domain provision --server-role=dc --use-rfc2307 --dns-backend=SAMBA_INTERNAL --realm=AD.EXAMPLE.NET --domain=AD
Administrator password will be set randomly!
You are not root or your system do not support xattr, using tdb backend
for attributes.
not using extended attributes to store ACLs and other metadata. If you
intend to use this provision in production, rerun the script as root on
a system supporting xattrs.
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Adding DomainDN: DC=ad,DC=example,DC=net
Adding configuration container
Setting up sam.ldb schema
Setting up sam.ldb configuration data
Setting up display specifiers
Modifying display specifiers
Adding users container
Modifying users container
Adding computers container
Modifying computers container
Setting up sam.ldb data
Setting up well known security principals
Setting up sam.ldb users and groups
Setting up self join
xattr_tdb_removexattr() failed to get vfs_handle->data!
Security context active token stack underflow!
PANIC (pid 23231): Security context active token stack underflow!
BACKTRACE: 46 stack frames:
#0 /usr/local/samba/lib/libsmbconf.so.0(log_stack_trace+0x1f) [0x7f7904837ca6]
#1 /usr/local/samba/lib/libsmbconf.so.0(smb_panic_s3+0x6d) [0x7f7904837af7]
#2 /usr/local/samba/lib/libsamba-util.so.0(smb_panic+0x28) [0x7f791747174b]
#3 /usr/local/samba/lib/private/libsmbd-base-samba4.so(sec_ctx_active_token+0x94) [0x7f7900b5d639]
#4 /usr/local/samba/lib/private/libsmbd-base-samba4.so(get_current_nttok+0x2e) [0x7f7900b43f20]
#5 /usr/local/samba/lib/private/libsmbd-base-samba4.so(try_chown+0x78) [0x7f7900b6fd88]
#6 /usr/local/samba/lib/private/libsmbd-base-samba4.so(set_nt_acl+0x3a9) [0x7f7900b7023c]
#7 /usr/local/samba/lib/private/libsmbd-base-samba4.so(+0x280180) [0x7f7900c8c180]
#8 /usr/local/samba/lib/private/libsmbd-base-samba4.so(smb_vfs_call_fset_nt_acl+0x58) [0x7f7900b63903]
#9 /usr/local/samba/lib/vfs/acl_xattr.so(+0x4ee1) [0x7f78f243aee1]
#10 /usr/local/samba/lib/vfs/acl_xattr.so(+0x576e) [0x7f78f243b76e]
#11 /usr/local/samba/lib/private/libsmbd-base-samba4.so(smb_vfs_call_fset_nt_acl+0x58) [0x7f7900b63903]
#12 /usr/local/samba/lib/python2.7/site-packages/samba/samba3/smbd.so(+0x20e4) [0x7f7900fe40e4]
#13 /usr/local/samba/lib/python2.7/site-packages/samba/samba3/smbd.so(+0x2f7f) [0x7f7900fe4f7f]
#14 python(PyEval_EvalFrameEx+0x6da2) [0x4cada2]
#15 python(PyEval_EvalCodeEx+0x255) [0x4c2765]
#16 python(PyEval_EvalFrameEx+0x6099) [0x4ca099]
#17 python(PyEval_EvalFrameEx+0x5d8f) [0x4c9d8f]
#18 python(PyEval_EvalCodeEx+0x255) [0x4c2765]
#19 python(PyEval_EvalFrameEx+0x6099) [0x4ca099]
#20 python(PyEval_EvalCodeEx+0x255) [0x4c2765]
#21 python(PyEval_EvalFrameEx+0x6099) [0x4ca099]
#22 python(PyEval_EvalCodeEx+0x255) [0x4c2765]
#23 python() [0x4de8b8]
#24 python(PyObject_Call+0x43) [0x4b0cb3]
#25 python(PyEval_EvalFrameEx+0x2ad1) [0x4c6ad1]
#26 python(PyEval_EvalCodeEx+0x255) [0x4c2765]
#27 python() [0x4de6fe]
#28 python(PyObject_Call+0x43) [0x4b0cb3]
#29 python(PyEval_EvalFrameEx+0x2ad1) [0x4c6ad1]
#30 python(PyEval_EvalCodeEx+0x255) [0x4c2765]
#31 python() [0x4de6fe]
#32 python(PyObject_Call+0x43) [0x4b0cb3]
#33 python(PyEval_EvalFrameEx+0x2ad1) [0x4c6ad1]
#34 python(PyEval_EvalCodeEx+0x255) [0x4c2765]
#35 python() [0x4de6fe]
#36 python(PyObject_Call+0x43) [0x4b0cb3]
#37 python(PyEval_EvalFrameEx+0x2ad1) [0x4c6ad1]
#38 python(PyEval_EvalCodeEx+0x255) [0x4c2765]
#39 python(PyEval_EvalCode+0x19) [0x4c2509]
#40 python() [0x4f1def]
#41 python(PyRun_FileExFlags+0x82) [0x4ec652]
#42 python(PyRun_SimpleFileExFlags+0x191) [0x4eae31]
#43 python(Py_Main+0x68a) [0x49e14a]
#44 /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf0) [0x7f79189f4830]
#45 python(_start+0x29) [0x49d9d9]
Can not dump core: corepath not set up
Does anyone else have samba 4.5 running with ZFS and if so how?
Otherwise I guess I need to rebuild this platform with a different
filesystem...
Thanks,
Brian.
Just don't use ZFS, you can only set up a DC on this if you use ntvfs
and, as you have found, this isn't installed any more.
Rowland
Aside: the zfs "xattr" property is already on by default. Inside the
container it works for me with user xattrs:
root@wrn-dc1:~# setfattr -n user.bar -v baz /tmp/foo
root@wrn-dc1:~# getfattr -n user.bar /tmp/foo
getfattr: Removing leading '/' from absolute path names
# file: tmp/foo
user.bar="baz"
But when I strace "samba-tool domain provision":
open("/usr/local/samba/tmpE7Z_yH", O_RDWR|O_CREAT|O_EXCL|O_NOFOLLOW,
0600) = 3
fcntl(3, F_GETFD) = 0
fcntl(3, F_SETFD, FD_CLOEXEC) = 0
fstat(3, {st_mode=S_IFREG|0600, st_size=0, ...}) = 0
fcntl(3, F_GETFL) = 0x28002 (flags
O_RDWR|O_LARGEFILE|O_NOFOLLOW)
setxattr("/usr/local/samba/tmpE7Z_yH", "security.NTACL",
"\1\0\1\0\0\0\2\0\1\0\0\200\34\0\0\0(\0\0\0\0\0
\0\0\0\0\0\0\1\1\0\0\0\0\0\5 \0\0\0\1\1\0\0\0\0\0\5 \0\0", 52, 0) = -1
EPERM (Operation not permitted)
write(2, "You are not root or your system "..., 89You are not root or
your system do not support xattr, using tdb backend for attributes.
) = 89
close(3) = 0
unlink("/usr/local/samba/tmpE7Z_yH") = 0
write(2, "not using extended attributes to"..., 171not using extended
attributes to store ACLs and other metadata. If you intend to use this
provision in production, rerun the script as root on a system supporting
xattrs.
) = 171
And indeed:
root@wrn-dc1:~# setfattr -n security.NTACL -v baz /tmp/foo
setfattr: /tmp/foo: Operation not permitted
The samba wiki only mentions zfs in passing in two places. Searching
further, it looks like Samba has ZFS support when run on Solaris:
https://lists.samba.org/archive/samba/2012-August/168660.html
and possibly FreeBSD. For Ubuntu I tried doing "apt-get install
libzfslinux-dev" and re-running "./configure", but there is no mention
of zfs in its output.
Ah OK... I've just seen Rowland's reply, "Just don't use ZFS". That's
clear enough :-)
Regards,
Sadly while Samba contains all the moving parts required (like the ZFS
ACL module, backing Samba onto NFSv4 ACLs), we haven't had a skilled
and enthusiastic (for ZFS) python developer who can implement the < 100
lines or so required, and then the (larger) set of tests.
Sorry,
Andrew Bartlett
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
FYI, I rebuilt the system using btrfs but initially I got the same issue
[^1]
It turns out this came from running inside an unprivileged lxd
container. After setting "security.privileged true" it was happy.
So I guess it might have been all right with ZFS, but I'll leave it as
it is now.
Regards,
Brian.
[^1]
...
You are not root or your system do not support xattr, using tdb backend
for attributes.
not using extended attributes to store ACLs and other metadata. If you
intend to use this provision in production, rerun the script as root on
a system supporting xattrs.
...
xattr_tdb_removexattr() failed to get vfs_handle->data!
Security context active token stack underflow!
PANIC (pid 32130): Security context active token stack underflow!
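
Added example, not part of the original thread and not Samba code: a Python preflight that repeats the two setfattr tests from the thread on a scratch file and separates "filesystem cannot store the attribute" (ENOTSUP) from "kernel refused the write" (EPERM), the result seen in the strace. The function names are made up for this example, and treating any non-identity /proc/self/uid_map as an unprivileged container is an assumption.

```python
"""Preflight: can this directory hold the xattrs that provisioning writes?"""
import errno
import os
import tempfile

# The two attribute names tried by hand in the thread.
PROBES = ("user.bar", "security.NTACL")

def in_user_namespace(uid_map_text):
    """True unless uid_map is the initial namespace's identity map (assumption)."""
    rows = [line.split() for line in uid_map_text.splitlines() if line.strip()]
    return rows != [["0", "0", "4294967295"]]

def explain(name, err, userns):
    """Turn one setxattr outcome (None or an errno) into a diagnosis."""
    if err is None:
        return "ok"
    if err in (errno.EPERM, errno.EACCES):
        if name.startswith("security.") and userns:
            return "denied: uid-mapped (unprivileged) container"
        return "denied: not root or missing capability"
    if err == errno.ENOTSUP:
        return "unsupported: filesystem does not store this xattr namespace"
    return "error: " + errno.errorcode.get(err, str(err))

def try_setxattr(path, name, value=b"probe"):
    """Return None if the attribute could be set and removed, else the errno."""
    try:
        os.setxattr(path, name, value)
        os.removexattr(path, name)
        return None
    except OSError as exc:
        return exc.errno

def preflight(directory):
    """Probe a scratch file in `directory`; return {xattr name: diagnosis}."""
    with open("/proc/self/uid_map") as fh:
        userns = in_user_namespace(fh.read())
    fd, path = tempfile.mkstemp(dir=directory)
    os.close(fd)
    try:
        return {n: explain(n, try_setxattr(path, n), userns) for n in PROBES}
    finally:
        os.unlink(path)

if __name__ == "__main__":
    for name, verdict in preflight("/usr/local/samba").items():
        print(f"{name:16} {verdict}")
```

Run it as root inside the container before provisioning; "ok" for user.bar together with a "denied" verdict for security.NTACL matches what the thread observed.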
> On 06/12/2016 16:06, Brian Candler wrote:
> > Ah OK... I've just seen Rowland's reply, "Just don't use ZFS".
> > That's clear enough :-)
>
> FYI, I rebuilt the system using btrfs but initially I got the same
> issue [^1]
>
> It turns out this came from running inside an unprivileged lxd
> container. After setting "security.privileged true" it was happy.
>
> So I guess it might have been all right with ZFS, but I'll leave it
> as it is now.
>
It wouldn't, ZFS uses NFSv4 ACLs and they are different from the ACLs
Samba AD DC expects. I took a try at getting it to work, but got
stuck, perhaps I should try again?
Rowland
ZFSonLinux supports POSIX ACLs (e.g. zfs set acltype=posixacl) and should
support xattrs.
Cheers
Alex